Krebs on Security

In-depth security news and investigation

Dual-Use Software Criminal Case Not So Novel

“He built a piece of software. That tool was pirated and abused by hackers. Now the feds want him to pay for the computer crooks’ crimes.”

The above snippet is the subhead of a story published last month by the The Daily Beast titled, “FBI Arrests Hacker Who Hacked No One.” The subject of that piece — a 26-year-old American named Taylor Huddleston — faces felony hacking charges connected to two computer programs he authored and sold: An anti-piracy product called Net Seal, and a Remote Administration Tool (RAT) called NanoCore that he says was a benign program designed to help users remotely administer their computers.

Photo illustration by Lyne Lucien/The Daily Beast

The author of the Daily Beast story, former black hat hacker and Wired.com editor Kevin Poulsen, argues that Huddleston’s case raises a novel question: When is a programmer criminally responsible for the actions of his users?

“Some experts say [the case] could have far reaching implications for developers, particularly those working on new technologies that criminals might adopt in unforeseeable ways,” Poulsen wrote.

But a closer look at the government’s side of the story — as well as public postings left behind by the accused and his alleged accomplices — paints a more complex and nuanced picture that suggests this may not be the case to raise that specific legal question in any meaningful way.

Mark Rumold, senior staff attorney at the Electronic Frontier Foundation (EFF), said cases like these are not so cut-and-dry because they hinge on intent, and determining who knew what and when.

“I don’t read the government’s complaint as making the case that selling some type of RAT is illegal, and if that were the case I think we would be very interested in this,” Rumold said. “Whether or not [the government’s] claims are valid is going to be extraordinarily fact-specific, but unfortunately there is not a precise set of facts that would push this case from being about the valid reselling of a tool that no one questions can be done legally to crossing that threshold of engaging in a criminal conspiracy.”

Citing group chat logs and other evidence that hasn’t yet been made public, U.S. prosecutors say Huddleston intended NanoCore to function more like a Remote Access Trojan used to remotely control compromised PCs, and they’ve indicted Huddleston on criminal charges of conspiracy as well as aiding and abetting computer intrusions.

Poulsen depicts Huddleston as an ambitious — if extremely naive — programmer struggling to make an honest living selling what is essentially a dual-use software product. Using the nickname “Aeonhack,” Huddleston marketed his NanoCore RAT on Hackforums[dot]net, an English-language hacking forum that is overrun with young, impressionable but otherwise low-skilled hackers who are constantly looking for point-and-click tools and services that can help them demonstrate their supposed hacking prowess.

Yet we’re told that Huddleston was positively shocked to discover that many buyers on the forum were using his tools in a less-than-legal manner, and that in response he chastised and even penalized customers who did so. By way of example, Poulsen writes that Huddleston routinely used his Net Seal program to revoke the software licenses for customers who boasted online about using his NanoCore RAT illegally.

We later learn that — despite Net Seal’s copy protection abilities — denizens of Hackforums were able to pirate copies of NanoCore and spread it far and wide in malware and phishing campaigns. Eventually, Huddleston said he grew weary of all the drama and sold both programs to another Hackforums member, using the $60,000 or so in proceeds to move out of the rusty trailer he and his girlfriend shared and buy a house in a low-income corner of Hot Springs, Arkansas.

From the story:

“Now even Huddleston’s modest home is in jeopardy,” Poulsen writes. “As part of their case, prosecutors are seeking forfeiture of any property derived from the proceeds of NanoCore, as well as from Huddleston’s anti piracy system, which is also featured in the indictment. ‘Net Seal licensing software is licensing software for cybercriminals,’ the indictment declares.

“For this surprising charge—remember, Huddleston use the licenses to fight crooks and pirates—the government leans on the conviction of a Virginia college student named Zachary Shames, who pleaded guilty in January to selling hackers a keystroke logging program called Limitless. Unlike Huddleston, Shames embraced malicious use of his code. And he used Net Seal to protect and distribute it.

“Huddleston admits an acquaintanceship with Shames, who was known on HackForums as ‘Mephobia,’ but bristles at the accusation that Net Seal was built for crime. ‘Net Seal is literally the exact opposite of aiding and abetting’ criminals, he says. ‘It logs their IP addresses, it block their access to the software, it stops them from sharing it with other cyber criminals. I mean, every aspect of it fundamentally prevents cybercrime. For them to say that [crime] is its intention is just ridiculous.’”

Poulsen does note that Shames pleaded guilty in January to selling his Limitless keystroke logging program, which relied on Huddleston’s Net Seal program for distribution and copy protection.

Otherwise, The Daily Beast story seems to breeze over relationship between Huddleston and Shames as almost incidental. But according to the government it is at the crux of the case, and a review of the indictment against Huddleston suggests the two’s fortunes were intimately intertwined.

From the government’s indictment:

“During the course of the conspiracy, Huddleston received over 25,000 payments via PayPal from Net Seal customers. As part of the conspiracy, Huddleston provided Shames with access to his Net Seal licensing software in order to assist Shames in the distribution of his Limitless keylogger. In exchange, Shames made at least one thousand payments via PayPal to Huddleston.”

“As part of the conspiracy, Huddleston and Shames distributed the Limitless keylogger to over 3,000 people who used it to access over 16,000 computers without authorization with the goal and frequently with the result of stealing sensitive information from those computers. As part of the conspiracy, Huddleston provided Net Seal to several other co-conspirators to assist in the profitable distribution of the malicious software they developed, including prolific malware that has repeatedly been used to conduct unlawful and unauthorized computer intrusions.”

A screen shot of Zach “Mephobia” Shames on Hackforums discussing the relationship between his Limitless keylogger and Huddleston’s (Aeonhack) Net Seal anti-piracy and payment platform.

Allison Nixon, director of security research for New York City-based security firm Flashpoint, observed that in the context of Hackforums, payment processing through Paypal is a significant problem for forum members trying to sell dual-use software and services on the forum.

“Most of their potential customer base uses PayPal, but their vendor accounts keep getting suspended for being associated with crime, so people who can successfully get payments through are prized,” Nixon said. “Net Seal can revoke access to a program that uses it, but it is a payment processing and digital rights management (DRM) system. Huddleston can claim the DRM is to prevent cybercrime, but realistically speaking the DRM is part of the payment system — to prevent people from pirating the software or initiating a Paypal chargeback. Just because he says that he blocked someone’s license due to an admission of crime does not mean that was the original purpose of the software.”

Nixon, a researcher who has spent countless hours profiling hackers and activities on Hackforums, said selling the NanoCore RAT on Hackforums and simultaneously scolding people for using it to illegally spy on people “could at best be seen as the actions of the most naive software developer on the Earth.”

“In the greater context of his role as the money man for Limitless Keylogger, it does raise questions about how sincere his anti-cybercrime stance really is,” Nixon said. “Considering that he bought a house from this, he has a significant financial incentive to play ignorant while simultaneously operating a business that can’t make nearly as much money if it was operated on a forum that wasn’t infested with criminals.”

Huddleston makes the case in Poulsen’s story that there’s a corporate-friendly double standard at work in the government’s charges, noting that malicious hackers have used commercial remote administration tools like TeamViewer and VNC for years, but the FBI doesn’t show up at their corporate headquarters with guns drawn.

But Nixon notes that RATs sold on Hackforums are extremely dangerous for the average person to use on his personal computer because there are past cases when RAT authors divert infected machines to their own botnet.

A Hackforums user details how the Blackshades RAT included a backdoor that let the RAT’s original author secretly access systems infected with the RAT.

“If a person is using RAT software on their personal machine that they purchased from Hackforums, they are taking this risk,” Nixon said. “Programs like VNC and Teamviewer are much safer for legitimate use, because they are actual companies, not programs produced by teenagers in a criminogenic environment.”

All of this may be moot if the government can’t win its case against Huddleston. The EFF’s Rumold said while prosecutors may have leverage in Shames’s conviction, the government probably doesn’t want to take the case to trial.

“My guess is if they want a conviction, they’re going to have to go to trial or offer him some type of very favorable plea,” Rumold said. “Just the fact that Huddleston was able to tell his story in a way that makes him come off as a very sympathetic character sounds like the government may have a difficult time prosecuting him.”

If you enjoyed this story, take a look at a related piece published here last year about a different RAT proprietor selling his product on Hackforums who similarly claimed the software was just a security tool designed for system administrators, despite features of the program and related services that strongly suggested otherwise.

75 comments

A very interesting publication. What is missing here I think – that it’s totally ok to suspect intent for law enforcement, prosecution always suspects intent, that’s their job. What’s entirely wrong in my point of view and the way I understand journalism is when the reporter clearly takes the side of the law enforcement, like this reporter by the way always does. I can understand that the law enforcement has proofs which they have not shown yet , like Skype chat logs etc, which were likely sufficient to start the case, however what proofs did this reporter knows of to have to come to the same one sided conclusion? Did he really see those proofs himself? Well they are not mentioned in this article. The reporter instead basically suggests everyone to believe they exist because otherwise the law enforcement would have not started the case at all since the reporter presumes the law enforcement to be some sort of saints who never mistake likely. This is a very common somewhat propaganda trap so to say , forgive me my English please. In my opinion the prosecution has enough power against any accused person to deal with it on their own without the need of any public opinion influencing and when normally when articles like this appear it means that on the contrary the prosecution really does not have such a good position as they thought they have. Don’t know how it is in USA , but in Russia in fact such publications normally are considered to be illegal as they are taking sides before the person is yet found guilty, however they appear here all the time anyways as well. I’d call it police reporting if I could. Whenever I read them it’s like it’s not really reporting or investigations – it feels more like prosecutors final speech in the court, as if prosecutor wrote it. That’s what i don’t understand is tons of supportive comments they get in USA , in Russia people tend to be more careful than to applaud happily for each prosecutor speech, some of those careful people , perhaps even more careful are other prosecutors. ))))))

I like it. Keep it going Krebs. This guy’s long winded statement has no grounds here with his criminal background.
He says,
“in Russia in fact such publications normally are considered to be illegal as they are taking sides before the person is yet found guilty”

We’re not in Russia my vodka drinking friend.

That’s one of many reasons why my family left the Soviet Union to begin with.

Many are weary of these actions by our government. You may think us evil Americans don’t understand the fine line the government skates, but we are well aware of this.

If I make a product, and sell it in a legitimate method, to legitimate everyday customers, I should have no reason to suspect massive misuse of said product.

When I decide to solely distribute my product on HackForums, despite the intended use, I have to expect that at the very least, a sizable portion of my customers are going to use it exclusively for illegal purposes. He knew very well that this would be a red flag, and if not that’s his own problem.

What’s important now is if the government can show proof that he indeed knew it was being mis-used and continued to support the sale and support of the product.

VNC is a frequently abused tool, yes, but it does not, last time I checked, include keystroke logging or turning on the camera.

But, like you said, it boils down to “intent”. And we’ll see the selective picture each side paints based on years of forum posts, chat logs, payment history, and whatever digital detritus they can find.

Did anyone ever go to jail for Back Orifice? Netbus? Sub7? It really does seem like they are going after the developer just because they can’t catch all the users. Sour grapes and all that.

I think the comparison to gun manufactures is quite apt. Nobody goes after Smith and Wesson, and it is still legal to 3D print your own receiver based on designs someone else posted on the Internet. Why is this software different?

If gun companies were selling weapons on street corners and back allies in Chicago, it would be an apt comparison. This was at the heart of my comment above. The fact is, when they’re sold legally and with background checks, licenses, ect, they have no reason to believe the majority or even a large number of those weapons will be used illegally. They cannot make that statement if they are selling them cash only on the streets.

The gun manufacturers know many of their guns will be used illegally by criminals, oppressive regimes, or terrorists. Some of these are direct sales, some indirect.
But a teenage hacker trying to sell a RAT or licensing DRM program does not have the same network of wholesalers and arms dealers.

I see this as going after the maker of a gun after the gun was used in a hold up. If I were on the jury jury nullification would happen. People should be able to produce whatever software they want, sell it to whom they wish, and if someone uses it illegally, go after THEM. Making it illegal gets in the way of innovation for those using it to develop something useful to all.